A mass-mailing worm with keylogging and backdoor capabilities is squirming
in the wild and software security experts are warning of possible hacker
intrusions into infected systems.

According to an advisory from
F-Secure, the Bugbear/Tanatos worm copies itself to Windows System directory
with a random name (JFMV.EXE for example) and adds a startup key to the
Registry.

F-Secure said the worm also drops a keylogging component as a DLL file with
a randomly-generated name (ZLQPUPP.DLL for example) to the Windows System
folder. It also creates two more DLL files and stores some encrypted data
there and creates two randomly named DAT files in root Windows folder too.

When run, the Bugbear/Tanatos worm's messages can contain an iFrame exploit
that allows it to run automatically on some computers when an infected
e-mail is viewed. Microsoft has fixed that bug and issued a patch on its home site.

https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
F-Secure, which provides anti-virus, file encryption and network security
software for the enterprise market, said the worm spreads in e-mail messages
as an attachment with randomly-generated names and with one or more
extensions.

"Subjects and bodies of infected e-mails are also different. The
mass-mailing routine is quite complex," the company said, noting that it is
enough to delete all the worm's files from an infected hard drive and
restart the system..

"If the worm is in a network environment, the network should be temporarily
taken down and all systems have to be disinfected separately. Otherwise the
worm will try to re-infect already cleaned systems," F-Secure warned.

After an infected system is cleaned, the company recommends all logins and
passwords be changed as they could have been compromised by the password
stealer component of the worm.

"It is also recommended to check infected systems and networks for possible
hacker intrusion that could have been performed through the backdoor
component of the worm," F-Secure added.

The company, which has placed a "level 2" alert from the mass-mailing worm,
said Bugbear/Tanatos continuously looks for and terminates processes by
listening to port 36794 and can provide access to an infected system and the
network it is connected to via an internal backdoor component.

The Bugbear/Tanatos worm, first detected on Monday September 30, also has
local network spreading capabilities. It enumerates network resources and
tries to locate the \Start Menu\Programs\Startup\ folder on remote
systems. If that path is found, the worm copies itself there with a random
name. When a remote system is restarted, the worm's file gets control and
infects a system, F-Secure warned.

"The backdoor component allows an attacker to access an infected system
through a web-based interface. The worm generates HTML pages on-the-fly when
an attacker browses directories on an infected remote computer," the company
warned, adding that the worm allows an attacker to get information about an
infected system: operating system, processor type, fixed and network drives.

"The worm has password stealing capabilities. It installs a keylogging
component to a system, records keystrokes and saves them into a file. Then
the worm sends this file to a few e-mail addresses that are stored in
encrypted for in the worm's body. The SMTP server names that the worm uses
to send the files are also stored in encrypted form in the worm's body,"
F-Secure added.

Loading Comments...

Advertiser Disclosure: Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.